PatchSiren

CVE-2026-43336 Git CVE debrief

CVE-2026-43336 concerns a Linux kernel ChaCha implementation cleanup issue: a local stack variable named permuted_state was left intact after permutation, and because the permutation is invertible, the original state—and therefore key material—could be reconstructed from that temporary if stack contents were exposed. The fix explicitly zeroizes the buffer before it leaves scope to reduce residual secret material on the stack.

Vendor: Git
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Kernel maintainers, distro security teams, embedded vendors, and operators relying on Linux kernel crypto or RNG paths should track this issue and ensure the fix is backported where needed.

Technical summary

The CVE description says the local variable permuted_state in lib/crypto/chacha can be used to recover the original state after the ChaCha permutation because the permutation is invertible. The remediation wipes this temporary before scope exit to reduce residual secret material on the stack. The supplied corpus does not describe a concrete exploit chain, only the confidentiality concern and the code-level hardening change.
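The invertibility argument above, as an added user-space example (not the kernel's code and not part of the CVE record): every quarter-round step can be undone, so a leftover permuted buffer yields the input state, while a wiped one does not. The names block, wipe and recoverable, the caller-supplied tmp buffer standing in for the stack temporary, and the sample state are all assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define ROTR(v, n) (((v) >> (n)) | ((v) << (32 - (n))))

/* Forward ChaCha quarter round (RFC 8439, section 2.1). */
static void qr(uint32_t *x, int a, int b, int c, int d) {
    x[a] += x[b]; x[d] = ROTL(x[d] ^ x[a], 16);
    x[c] += x[d]; x[b] = ROTL(x[b] ^ x[c], 12);
    x[a] += x[b]; x[d] = ROTL(x[d] ^ x[a], 8);
    x[c] += x[d]; x[b] = ROTL(x[b] ^ x[c], 7);
}

/* Inverse quarter round: the same four steps undone last-to-first. */
static void qr_inv(uint32_t *x, int a, int b, int c, int d) {
    x[b] = ROTR(x[b], 7) ^ x[c];  x[c] -= x[d];
    x[d] = ROTR(x[d], 8) ^ x[a];  x[a] -= x[b];
    x[b] = ROTR(x[b], 12) ^ x[c]; x[c] -= x[d];
    x[d] = ROTR(x[d], 16) ^ x[a]; x[a] -= x[b];
}

/* One double round: four column quarter rounds, then four diagonal ones. */
static const int Q[8][4] = {{0,4,8,12}, {1,5,9,13}, {2,6,10,14}, {3,7,11,15},
                            {0,5,10,15}, {1,6,11,12}, {2,7,8,13}, {3,4,9,14}};
/* 20-round permutation; inverse != 0 walks the same rounds backwards. */
static void permute(uint32_t x[16], int inverse) {
    for (int r = 0; r < 10; r++)
        for (int k = 0; k < 8; k++) {
            const int *q = inverse ? Q[7 - k] : Q[k];
            (inverse ? qr_inv : qr)(x, q[0], q[1], q[2], q[3]);
        }
}
static void wipe(void *p, size_t n) { /* volatile stores are not elided */
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Model of a block function; tmp stands in for the stack temporary. */
static void block(const uint32_t state[16], uint32_t out[16], uint32_t tmp[16], int fixed) {
    memcpy(tmp, state, 64); permute(tmp, 0);
    for (int i = 0; i < 16; i++) out[i] = tmp[i] + state[i];
    if (fixed) wipe(tmp, 64); /* the hardening step: zeroize before scope exit */
}

/* Returns 1 if inverting what is left in tmp yields the original state. */
static int recoverable(int fixed) {
    uint32_t state[16], out[16], tmp[16];
    for (int i = 0; i < 16; i++) state[i] = 0x9e3779b9u * (i + 1); /* constructed */
    block(state, out, tmp, fixed); permute(tmp, 1);
    return memcmp(tmp, state, 64) == 0;
}
```

The output block itself is not invertible this way because the final addition mixes the input state back in; only the unwiped temporary is.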

Defensive priority

High, especially for environments that depend on Linux kernel crypto or RNG behavior and for systems where kernel stack disclosure would materially increase risk.

Recommended defensive actions

  • Identify affected kernel builds in your fleet, including vendor and distribution backports, rather than relying only on upstream version numbers.
  • Apply the kernel fix or the appropriate stable backport referenced by the official kernel.org commit links in the source corpus.
  • Rebuild, redeploy, and verify running kernels after patching; prioritize systems handling sensitive cryptographic material.
  • Review adjacent kernel crypto/RNG code paths for similar stack-secret zeroization gaps and incorporate hardening checks into your patch review process.

Evidence notes

The supplied corpus shows CVE publication at 2026-05-08T14:16:43.383Z and modification at 2026-05-11T08:16:10.140Z. NVD records the issue with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and links to official kernel.org stable references for the fix. The description states that permuted_state is sufficient to recover the original state because the ChaCha permutation is invertible, and that the remediation is to explicitly zeroize the temporary before it leaves scope. No KEV listing, ransomware linkage, or exploit details are present in the supplied corpus.

Official resources

Publicly disclosed in the supplied CVE and NVD records on 2026-05-08 and updated on 2026-05-11. No Known Exploited Vulnerabilities listing is present in the corpus.